Interval Leisure Group turned to a simplified, streamlined approach to privilege management to provide role-based access controls for workers and consultants.

One of the trickier aspects of managing large groups of users is ensuring that the right people have access to the right files and data—and that those lacking appropriate privileges are prevented from gaining access. The Interval Leisure Group, a timeshare exchange that has existed since 1976 and offers nontraditional lodging in 80 countries, found itself with a rapidly expanding number of Linux hosts as it undertook an IT transformation that began in 2008.

"We recognized a need for a faster and more efficient SOA [service-oriented architecture] platform and [knew] a migration was critical," says Sasan Hamidi, chief information security officer at Interval.

But access management became an operational and security challenge once the company reached about 300 hosts.

"Simple tasks, like changing administrative passwords every 90 days, were extremely difficult," he explains. "Admins had to log into every host manually and make changes. The result was a huge expenditure of time and a large number of errors."

In fact, when the security team performed audits, it found that many credentials were out of compliance. At that point, "It was clear that we couldn't manage privileges effectively for a very critical platform," he recalls.

Taking a Streamlined Approach

After considering various solutions, Interval Leisure Group turned to identity management solutions vendor Centrify to connect its servers to Active Directory and enable a more simplified and streamlined approach to privilege management.

The solution let Interval Leisure Group adopt a least-privilege approach to role-based access controls for employees, contractors and consultants. The firm can manage credentials with highly granular capabilities. So far, it has rolled out the platform to more than 450 Windows, Linux and UNIX systems.

Creating different access groups and zones—including developers, Web administrators and quality assurance staff—has simplified and improved access controls by an order of magnitude. The technology also makes it possible to record sessions and later review them.

"We can go back and see exactly what happened and where any problems exist," Hamidi says. "In addition, we can use the recorded session later for training purposes."

Hamidi says that the biggest challenges revolved around internal staff turnover during the transition and the training required to use the system.

"We also had some QA and development challenges, including a need to change system clocks periodically, so we had to make some adjustments and exceptions for these events," he explains. "But the transition process went relatively smoothly."

Along the way, the company also discovered better ways to manage groups of users. "We realized that the solution introduced features that allowed us to improve internal processes," he adds.

The results have been impressive. The platform streamlines user on-boarding and off-boarding, and it helps the company meet and prove compliance under PCI guidelines.

It also has streamlined reporting related to audit and compliance and has reduced attack surfaces through the least-privilege model. In fact, staff can view activity and reports in real time.

Overall, Hamidi says that the Interval Leisure Group is saving roughly 1,400 staff hours per quarter. "We're talking about a 75 percent saving in staff hours alone for managing simple tasks like password reset and password management," he reports. "We have improved processes and gained benefits that we did not imagine."

Samuel Greengard writes about business and technology for Baseline, CIO Insight and other publications. His most recent book is The Internet of Things (MIT Press, 2015).